ruby-ldapserver 0.3.1

data/lib/ldap/server/server.rb

@@ -0,0 +1,89 @@
+require 'ldap/server/connection'
+require 'ldap/server/operation'
+require 'openssl'
+
+module LDAP
+class Server
+
+  attr_accessor :root_dse
+
+  DEFAULT_OPT = {
+      :port=>389,
+      :nodelay=>true,
+  }
+
+  # Create a new server. Options include all those to tcpserver/preforkserver
+  # plus:
+  #   :operation_class=>Class			- set Operation handler class
+  #   :operation_args=>[...]			- args to Operation.new
+  #   :ssl_key_file=>pem, :ssl_cert_file=>pem	- enable SSL
+  #   :ssl_ca_path=>directory			- verify peer certificates
+  #   :schema=>Schema				- Schema object
+  #   :namingContexts=>[dn, ...]		- base DN(s) we answer
+
+  def initialize(opt = DEFAULT_OPT)
+    @opt = opt
+    @opt[:server] = self
+    @opt[:operation_class] ||= LDAP::Server::Operation
+    @opt[:operation_args] ||= []
+    LDAP::Server.ssl_prepare(@opt)
+    @schema = opt[:schema]	# may be nil
+    @root_dse = Hash.new { |h,k| h[k] = [] }.merge({
+	'objectClass' => ['top','openLDAProotDSE','extensibleObject'],
+	'supportedLDAPVersion' => ['3'],
+	#'altServer' =>
+	#'supportedExtension' =>
+	#'supportedControl' =>
+	#'supportedSASLMechanisms' =>
+    })
+    @root_dse['subschemaSubentry'] = [@schema.subschema_dn] if @schema
+    @root_dse['namingContexts'] = opt[:namingContexts] if opt[:namingContexts]
+  end
+
+  # create opt[:ssl_ctx] from the other ssl options
+
+  def self.ssl_prepare(opt) # :nodoc:
+    if opt[:ssl_key_file] and opt[:ssl_cert_file]
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.key = OpenSSL::PKey::RSA.new(File::read(opt[:ssl_key_file]))
+      ctx.cert = OpenSSL::X509::Certificate.new(File::read(opt[:ssl_cert_file]))
+      if opt[:ssl_ca_path]
+        ctx.ca_path = opt[:ssl_ca_path]
+        ctx.verify_mode = 
+          OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+      else
+        $stderr.puts "Warning: SSL peer certificate won't be verified"
+      end
+      opt[:ssl_ctx] = ctx
+    end
+  end
+
+  def run_tcpserver
+    require 'ldap/server/tcpserver'
+
+    opt = @opt
+    @thread = LDAP::Server.tcpserver(@opt) do
+      LDAP::Server::Connection::new(self,opt).handle_requests
+    end
+  end
+
+  def run_prefork
+    require 'ldap/server/preforkserver'
+
+    opt = @opt
+    @thread = LDAP::Server.preforkserver(@opt) do
+      LDAP::Server::Connection::new(self,opt).handle_requests
+    end
+  end
+
+  def join
+    @thread.join
+  end
+
+  def stop
+    @thread.raise Interrupt, "" # <= temporary fix for 1.8.6
+    @thread.join
+  end
+
+end # class Server
+end # module LDAP

data/lib/ldap/server/syntax.rb

@@ -0,0 +1,235 @@
+module LDAP
+class Server
+
+  # A class which describes LDAP SyntaxDescriptions. For now there is
+  # a global pool of Syntax objects (rather than each Schema object
+  # having its own set)
+
+  class Syntax
+    attr_reader :oid, :nhr, :binary, :desc
+
+    # Create a new Syntax object
+
+    def initialize(oid, desc=nil, opt={}, &blk)
+      @oid = oid
+      @desc = desc
+      @nhr = opt[:nhr]		# not human-readable?
+      @binary = opt[:binary]	# binary encoding forced?
+      @re = opt[:re]		# regular expression for parsing
+      @def = nil
+      instance_eval(&blk) if blk
+    end
+
+    def to_s
+      @oid
+    end
+
+    # Create a new Syntax object, given its description string
+
+    def self.from_def(str, &blk)
+      m = LDAPSyntaxDescription.match(str)
+      raise LDAP::ResultError::InvalidAttributeSyntax,
+        "Bad SyntaxTypeDescription #{str.inspect}" unless m
+      new(m[1], m[2], :nhr=>(m[3] == 'TRUE'), :binary=>(m[4] == 'TRUE'), &blk)
+    end
+
+    # Convert this object to its description string
+
+    def to_def
+      return @def if @def
+      ans = "( #@oid "
+      ans << "DESC '#@desc' " if @desc
+      # These are OpenLDAP extensions
+      ans << "X-BINARY-TRANSFER-REQUIRED 'TRUE' " if @binary
+      ans << "X-NOT-HUMAN-READABLE 'TRUE' " if @nhr
+      ans << ")"
+      @def = ans
+    end
+
+    # Return true or a MatchData object if the given value is allowed
+    # by this syntax
+
+    def match(val)
+      return true if @re.nil?
+      @re.match(value_to_s(val))
+    end
+
+    # Convert a value for this syntax into its canonical string representation
+    # (not yet used, but seemed like a good idea)
+
+    def value_to_s(val)
+      val.to_s
+    end
+
+    # Convert a string value for this syntax into a Ruby-like value
+    # (not yet used, but seemed like a good idea)
+
+    def value_from_s(val)
+      val
+    end
+
+    @@syntaxes = {}
+
+    # Add a new syntax definition
+
+    def self.add(*args, &blk)
+      s = new(*args, &blk)
+      @@syntaxes[s.oid] = s
+    end
+
+    # Find a Syntax object given an oid. If not known, return a new empty
+    # Syntax object associated with this oid.
+
+    def self.find(oid)
+      return oid if oid.nil? or oid.is_a?(LDAP::Server::Syntax)
+      return @@syntaxes[oid] if @@syntaxes[oid]
+      add(oid)
+    end
+
+    # Return all known syntax objects
+
+    def self.all_syntaxes
+      @@syntaxes.values.uniq
+    end
+
+    # Shared constants for regexp-based syntax parsers
+
+    KEYSTR = "[a-zA-Z][a-zA-Z0-9;-]*"
+    NUMERICOID = "( \\d[\\d.]+\\d )"
+    WOID = "\\s* ( #{KEYSTR} | \\d[\\d.]+\\d ) \\s*"
+    _WOID = "\\s* (?: #{KEYSTR} | \\d[\\d.]+\\d ) \\s*"
+    OIDS = "( #{_WOID} | \\s* \\( #{_WOID} (?: \\$ #{_WOID} )* \\) \\s* )"
+    _QDESCR = "\\s* ' #{KEYSTR} ' \\s*"
+    QDESCRS = "( #{_QDESCR} | \\s* \\( (?:#{_QDESCR})+ \\) \\s* )"
+    QDSTRING = "\\s* ' (.*?) ' \\s*"
+    NOIDLEN = "(\\d[\\d.]+\\d) (?: \\{ (\\d+) \\} )?"
+    ATTRIBUTEUSAGE = "(userApplications|directoryOperation|distributedOperation|dSAOperation)"
+
+  end
+
+  class Syntax
+
+    # These are the 'SHOULD' support syntaxes from RFC2252 section 6
+
+    AttributeTypeDescription =
+    add("1.3.6.1.4.1.1466.115.121.1.3", "Attribute Type Description", :re=>
+    %r! \A \s* \( \s*
+	    #{NUMERICOID} \s*
+	(?: NAME #{QDESCRS} )?
+	(?: DESC #{QDSTRING} )?
+	(   OBSOLETE \s* )?
+	(?: SUP #{WOID} )?
+	(?: EQUALITY #{WOID} )?
+	(?: ORDERING #{WOID} )?
+	(?: SUBSTR #{WOID} )?
+	(?: SYNTAX \s* #{NOIDLEN} \s* )?	# capture 2
+	(   SINGLE-VALUE \s* )?
+	(   COLLECTIVE \s* )?
+	(   NO-USER-MODIFICATION \s* )?
+	(?: USAGE \s* #{ATTRIBUTEUSAGE} )?
+    \s* \) \s* \z !xu)
+
+    add("1.3.6.1.4.1.1466.115.121.1.5", "Binary", :nhr=>true)
+    # FIXME: value_to_s should BER-encode the value??
+
+    add("1.3.6.1.4.1.1466.115.121.1.6", "Bit String", :re=>/\A'([01]*)'B\z/)
+    # FIXME: convert to FixNum?
+
+    add("1.3.6.1.4.1.1466.115.121.1.7", "Boolean", :re=>/\A(TRUE|FALSE)\z/) do
+      def self.value_to_s(v)
+        return v if v.is_a?(string)
+        v ? "TRUE" : "FALSE"
+      end
+      def self.value_from_s(v)
+        v.upcase == "TRUE"
+      end
+    end
+
+    add("1.3.6.1.4.1.1466.115.121.1.8", "Certificate", :binary=>true, :nhr=>true)
+    add("1.3.6.1.4.1.1466.115.121.1.9", "Certificate List", :binary=>true, :nhr=>true)
+    add("1.3.6.1.4.1.1466.115.121.1.10", "Certificate Pair", :binary=>true, :nhr=>true)
+    add("1.3.6.1.4.1.1466.115.121.1.11", "Country String", :re=>/\A[A-Z]{2}\z/i)
+    add("1.3.6.1.4.1.1466.115.121.1.12", "Distinguished Name")
+    # FIXME: validate DN?
+    add("1.3.6.1.4.1.1466.115.121.1.15", "Directory String")
+    # missed due to lack of interest: "DIT Content Rule Description"
+    add("1.3.6.1.4.1.1466.115.121.1.22", "Facsimile Telephone Number")
+    add(" 1.3.6.1.4.1.1466.115.121.1.23", "Fax", :nhr=>true)
+    add("1.3.6.1.4.1.1466.115.121.1.24", "Generalized Time")
+    # FIXME: Validate Generalized Time (find X.208) and convert to/from Ruby Time
+    add("1.3.6.1.4.1.1466.115.121.1.26", "IA5 String")
+    add("1.3.6.1.4.1.1466.115.121.1.27", "Integer", :re=>/\A\d+\z/) do
+      def self.value_from_s(v)
+        v.to_i
+      end
+    end
+    add("1.3.6.1.4.1.1466.115.121.1.28", "JPEG", :nhr=>true)
+    MatchingRuleDescription =
+    add("1.3.6.1.4.1.1466.115.121.1.30", "Matching Rule Description", :re=>
+    %r! \A \s* \( \s*
+	    #{NUMERICOID} \s*
+	(?: NAME #{QDESCRS} )?
+	(?: DESC #{QDSTRING} )?
+	(   OBSOLETE \s* )?
+	    SYNTAX \s* #{NUMERICOID} \s*
+    \s* \) \s* \z !xu)
+    MatchingRuleUseDescription =
+    add("1.3.6.1.4.1.1466.115.121.1.31", "Matching Rule Use Description", :re=>
+    %r! \A \s* \( \s*
+	    #{NUMERICOID} \s*
+	(?: NAME #{QDESCRS} )?
+	(?: DESC #{QDSTRING} )?
+	(   OBSOLETE \s* )?
+	    APPLIES \s* #{OIDS} \s*
+    \s* \) \s* \z !xu)
+    add("1.3.6.1.4.1.1466.115.121.1.33", "MHS OR Address")
+    add("1.3.6.1.4.1.1466.115.121.1.34", "Name And Optional UID")
+    # missed due to lack of interest: "Name Form Description"
+    add("1.3.6.1.4.1.1466.115.121.1.36", "Numeric String", :re=>/\A\d+\z/)
+    ObjectClassDescription =
+    add("1.3.6.1.4.1.1466.115.121.1.37", "Object Class Description", :re=>
+    %r! \A \s* \( \s*
+	#{NUMERICOID} \s*
+	(?: NAME #{QDESCRS} )?
+	(?: DESC #{QDSTRING} )?
+	(   OBSOLETE \s* )?
+	(?: SUP #{OIDS} )?
+	(?: ( ABSTRACT|STRUCTURAL|AUXILIARY ) \s* )?
+	(?: MUST #{OIDS} )?
+	(?: MAY #{OIDS} )?
+    \s* \) \s* \z !xu)
+    add("1.3.6.1.4.1.1466.115.121.1.38", "OID", :re=>/\A#{WOID}\z/xu)
+    add("1.3.6.1.4.1.1466.115.121.1.39", "Other Mailbox")
+    add("1.3.6.1.4.1.1466.115.121.1.41", "Postal Address") do
+      def self.value_from_s(v)
+        v.split(/\$/)
+      end
+      def self.value_to_s(v)
+        return v.join("$") if v.is_a?(Array)
+        return v
+      end
+    end
+    add("1.3.6.1.4.1.1466.115.121.1.43", "Presentation Address")
+    add("1.3.6.1.4.1.1466.115.121.1.44", "Printable String")
+    add("1.3.6.1.4.1.1466.115.121.1.50", "Telephone Number")
+    add("1.3.6.1.4.1.1466.115.121.1.53", "UTC Time")
+
+    LDAPSyntaxDescription =
+    add("1.3.6.1.4.1.1466.115.121.1.54", "LDAP Syntax Description", :re=>
+    %r! \A \s* \( \s*
+	    #{NUMERICOID} \s*
+	(?: DESC #{QDSTRING} )?
+	(?: X-BINARY-TRANSFER-REQUIRED \s* ' (TRUE|FALSE) ' \s* )?
+	(?: X-NOT-HUMAN-READABLE \s* ' (TRUE|FALSE) ' \s* )?
+    \s* \) \s* \z !xu)
+
+    # Missed due to lack of interest: "DIT Structure Rule Description"
+
+    # A few others from RFC2252 section 4.3.2
+    add("1.3.6.1.4.1.1466.115.121.1.4", "Audio", :nhr=>true)
+    add("1.3.6.1.4.1.1466.115.121.1.40", "Octet String")
+    add("1.3.6.1.4.1.1466.115.121.1.58", "Substring Assertion")
+  end
+    
+end # class Server
+end # module LDAP

data/lib/ldap/server/tcpserver.rb

@@ -0,0 +1,91 @@
+require 'socket'
+
+module LDAP
+class Server
+
+  # Accept connections on a port, and for each one start a new thread
+  # and run the given block. Returns the Thread object for the listener.
+  #
+  # FIXME:
+  # - have a limit on total number of concurrent connects
+  # - have a limit on connections from a single IP, or from a /24
+  #   (to avoid the trivial DoS that the first limit creates)
+  # - ACL using source IP address (or perhaps that belongs in application)
+  #
+  # Options:
+  #   :port=>port number [required]
+  #   :bindaddr=>"IP address"
+  #   :user=>"username"				- drop privileges after bind
+  #   :group=>"groupname"			- ditto
+  #   :logger=>object				- implements << method
+  #   :listen=>number				- listen queue depth
+  #   :nodelay=>true				- set TCP_NODELAY option
+
+  def self.tcpserver(opt, &blk)
+    logger = opt[:logger] || $stderr
+    server = TCPServer.new(opt[:bindaddr] || "0.0.0.0", opt[:port])
+
+    # Drop privileges if requested
+    require 'etc' if opt[:group] or opt[:user]
+    Process.gid = Process.egid = Etc.getgrnam(opt[:group]).gid if opt[:group]
+    Process.uid = Process.euid = Etc.getpwnam(opt[:user]).uid if opt[:user]
+   
+    # Typically the O/S will buffer response data for 100ms before sending.
+    # If the response is sent as a single write() then there's no need for it.
+    if opt[:nodelay]
+      begin
+        server.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+      rescue Exception
+      end
+    end
+    # set queue size for incoming connections (default is 5)
+    server.listen(opt[:listen]) if opt[:listen]
+
+    Thread.new do
+      while true
+        begin
+          session = server.accept
+          # subtlety: copy 'session' into a block-local variable because
+          # it will change when the next session is accepted
+          Thread.new(session) do |s|
+            begin
+              s.instance_eval(&blk)
+            rescue Exception => e
+              logger << "[#{s.peeraddr[3]}]: #{e}: #{e.backtrace[0]}\n"
+              #logger << "[#{s.peeraddr[3]}]: #{e}: #{e.backtrace.join("\n\tfrom ")}\n"
+            ensure
+              s.close
+            end
+          end
+        rescue Interrupt
+          # This exception can be raised to shut the server down
+          server.close if server and not server.closed?
+          break
+        end
+      end
+    end
+  end
+
+end # class Server
+end # module LDAP
+
+if __FILE__ == $0
+  # simple test
+  puts "Running a test POP3 server on port 1110"
+  t = LDAP::Server.tcpserver(:port=>1110) do
+    print "+OK I am a fake POP3 server\r\n"
+    while line = gets
+      case line
+      when /^quit/i
+        break
+      when /^crash/i
+        raise Errno::EPERM, "dammit!"
+      else
+        print "-ERR I don't understand #{line}"
+      end
+    end
+    print "+OK bye\r\n"
+  end
+  #sleep 10; t.raise Interrupt	# uncomment to run for fixed time period
+  t.join
+end 

data/lib/ldap/server/util.rb

@@ -0,0 +1,88 @@
+require 'ldap/server/result'
+
+module LDAP
+class Server
+
+  class Operation
+
+    # Return true if connection is not authenticated
+
+    def anonymous?
+      @connection.binddn.nil?
+    end
+
+    # Split dn string into its component parts, returning
+    #  [ {attr=>val}, {attr=>val}, ... ]
+    #
+    # This is pretty horrible legacy stuff from X500; see RFC2253 for the
+    # full gore. It's stupid that the LDAP protocol sends the DN in string
+    # form, rather than in ASN1 form (as it does with search filters, for
+    # example), even though the DN syntax is defined in terms of ASN1!
+    #
+    # Attribute names are downcased, but values are not. For any
+    # case-insensitive attributes it's up to you to downcase them.
+    #
+    # Note that only v2 clients should add extra space around the comma.
+    # This is accepted, and so is semicolon instead of comma, but the
+    # full RFC1779 backwards-compatibility rules (e.g. quoted values)
+    # are not implemented.
+    #
+    # I *think* these functions will work correctly with UTF8-encoded
+    # characters, given that a multibyte UTF8 character does not contain
+    # the bytes 00-7F and therefore we cannot confuse '\', '+' etc
+
+    def self.split_dn(dn)
+      # convert \\ to \5c, \+ to \2b etc
+      dn2 = dn.gsub(/\\([ #,+"\\<>;])/) { "\\%02x" % $1[0] }
+
+      # Now we know that \\ and \, do not exist, it's safe to split
+      parts = dn2.split(/\s*[,;]\s*/)
+
+      parts.collect do |part|
+        res = {}
+
+        # Split each part into attr=val+attr=val
+        avs = part.split(/\+/)
+
+        avs.each do |av|
+          # These should all be of form attr=value
+          unless av =~ /^([^=]+)=(.*)$/
+            raise LDAP::ResultError::ProtocolError, "Bad DN component: #{av}"
+          end
+          attr, val = $1.downcase, $2
+          # Now we can decode those bits
+          attr.gsub!(/\\([a-f0-9][a-f0-9])/i) { $1.hex.chr }
+          val.gsub!(/\\([a-f0-9][a-f0-9])/i) { $1.hex.chr }
+          res[attr] = val
+        end
+        res
+      end
+    end
+
+    # Reverse of split_dn. Join [elements...]
+    # where each element can be {attr=>val,...} or [[attr,val],...]
+    # or just [attr,val]
+
+    def self.join_dn(elements)
+      dn = ""
+      elements.each do |elem|
+        av = ""
+        elem = [elem] if elem[0].is_a?(String)
+        elem.each do |attr,val|
+          av << "+" unless av == ""
+
+          av << attr << "=" <<
+                     val.sub(/^([# ])/, '\\\\\\1').
+                     sub(/( )$/, '\\\\\\1').
+                     gsub(/([,+"\\<>;])/, '\\\\\\1')
+        end
+        dn << "," unless dn == ""
+        dn << av
+      end
+      dn
+    end
+
+  end # class Operation
+
+end # class Server
+end # module LDAP